Summary From the Last Lecture • Key Exchange

Summary From the Last Lecture
• Key Exchange
– Diffie-Hellman
– Symmetric crypto
(KDC idea, Needham-Shroeder, Kerberos)
– Asymmetric crypto – certificates
• Stolen keys recovery
• Group keys
• Authentication
– Something you know (passwords, handle storage,
handle network transmission)
– Something you have, something about you
Single Sign-On
• Passport
• Liberty Alliance
• Shibboleth
Passport v1
• Goal is single sign-on
– Solves problem of weak or repeated user/pass
combinations
• Implemented via redirections
– Users authenticate themselves to a common server,
which gives them tickets
– Similar flavor to Kerberos but different environment
– many organizations
• Widely deployed by Microsoft
– Designed to use existing technologies in
servers/browsers (HTTP redirect, SSL, cookies,
Javascript)
David P. Kormann and Aviel D. Rubin,
Risks of the Passport Single Signon Protocol,
Computer Networks, Elsevier Science Press,
volume 33, pages 51-58, 2000.
How Passport Works
• Client (browser), merchant (Web server),
Passport login server
• Passport server maintains authentication
info for client
– Gives merchant access when permitted by client
• Divides client data into profile (address) and
wallet (credit card)
David P. Kormann and Aviel D. Rubin,
Risks of the Passport Single Signon Protocol,
Computer Networks, Elsevier Science Press,
volume 33, pages 51-58, 2000.
How Passport Works
SSL
Token = 3DES encrypted authentication info
using key merchant shares with passport server
Also set cookie at browser (passport)
How Cookies Work
• Placed into browser cache by servers to store
state about this particular user
– Contain any information that server wants to
remember about the user as name/value pairs
– May contain expiration time
– May persist across browser instances
• Returned to server in clear on new access
• Only those cookies created for the server’s
domain are sent to the server
– May not be created by this server
• Usually used for persistent sign in, shopping cart,
user preferences
Cookies for Authentication
• User logs in using her user/pass
– Server sets a cookie with some info – username,
password, session ID …
– Any future accesses return this info to the server who
uses it for authentication (equivalent to user/pass)
– Once user signs out the cookie is deleted and the
session closed at the server
• Problems
– Cookies can be sniffed, remain on the browser because
user did not sign out, be stolen by cross-site scripting
or via DNS poisoning
• Solutions:
– Send cookies over SSL, use timed cookies, secure code,
bind cookies to IP address of the client, encrypt cookies
…
Learn more at:
http://cookies.lcs.mit.edu/pubs/webauth:tr.pdf
David P. Kormann and Aviel D. Rubin,
Risks of the Passport Single Signon Protocol,
Computer Networks, Elsevier Science Press,
volume 33, pages 51-58, 2000.
Some Problems with Passport
• User interface is confusing and may misrepresent
the reality – user may log out from a server but not
from the Passport or vice versa
• Weak keys may be used for 3DES
• Single key is used to encrypt cookies for all clients
• Cookies stay on machine, can be stolen
– No authenticator (timestamp) like in Kerberos, enables
reuse by others
Read more at http://avirubin.com/passport.html
Federated Passport
• Multiple federated identity providers
– E.g. ISPs register own users
– One can rely on claims made by other ID providers
• Claims
– Emails, relationships, authorization for scenarios,
ownership of private/public key pair
• Need “translators” for different claim languages
Liberty Alliance
• Similar to Federated Passport, i.e. no
central authority
• Use SAML (Security Association Markup
Language) to describe trust across
authorities, and what assertions mean from
particular authorities
• Four assurance levels
– How much we trust a given identity assertion
– Little, some, high and very high confidence
Federated Identity - Shibboleth
• Service Provider
– Browser goes to Resource Manager who uses
WAYF, and user’s Attribute Requester, and
decides whether to grant access.
• “Where are you from” (WAYF) service
– Redirects to correct servers
• Federation to form trusted relationships
between providers
3. Where are you from?
2. I don’t know you, or
where you are from
4. Redirect to IdP for your org
Client
Web Browser
1. User requests
resource
8
5. I don’t know you.
Authenticate using your
org’s web login
1
3
5
2
Service Provider (SP)
Web Site
WAYF
4
6
Identity Provider
(IdP)
Web Site
LDAP
7
8. Based on attribute
values, allow access to
resource
7. I don’t know your attributes. Ask
the IdP (peer to peer)
6. I know you now.
Redirect to SP, with a
handle for user
Source: Kathryn Huxtable [email protected]
10 June 2005
Generic Security Services API
Moving up the Stack
• Common API for client-server authentication
• Standard interface for choosing among
authentication methods
– Once an application uses GSS-API, it can be changed
to use a different authentication method easily
• No code rewriting required
• Dominant implementation is Kerberos
– Some procedure calls
• Acquire and release credentials
• Manage security context
– Init, accept, and process tokens (challenges)
• Wrap and unwrap (encrypt/decrypt)
Attacks on Password Authentication
•
•
•
•
Brute force
Dictionary
Guessing
Finding elsewhere
Something You Have
• Cards
– Mag stripe (= password)
– Smart card, USB key
– Time-varying password
• Issues
– How to validate
– How to read (i.e. infrastructure)
Something About You
• Biometrics
– Measures some physical attribute
•
•
•
•
Iris scan
Fingerprint
Picture
Voice
• Issues
– How to prevent spoofing
– What if spoofing is possible? No way to obtain new
credentials
Other Forms Of Authentication
• IP Address
• Caller ID (or call back)
• Past transaction information
– Example of something you know
Multi-factor Authentication
• Require at least two of the classes we
mentioned, e.g.
– Smart card plus PIN
– RSA SecurID plus password
– Biometric and password
Authorization and Policy
Authorization: Two Meanings
• Determining permission
– Is principal P permitted to perform action A on
object U?
• Adding permission
– P is permitted to perform action A on object U
• In this course, we use the first definition
Access Control
• Who is permitted to perform which actions
on what objects?
• Access Control Matrix (ACM)
– Columns indexed by principal
– Rows indexed by objects
– Elements are arrays of permissions indexed by
action
• In practice, ACMs are abstract objects
– Huge and sparse
– Possibly distributed
Example ACM
File/User
Tom
Dick
Harry
Readme.txt
read
read
read, write
passwords
Term.exe
write
read, write, execute
Instantiations of ACMs
• Access Control Lists (ACLs)
– For each object, list principals and actions
permitted on that object
– Corresponds to rows of ACM
File/User
Readme.txt
Tom: read, Dick: read, Harry: read, write
passwords
Harry: write
Term.exe
Tom: read, write, execute
Instantiations of ACMs
• Capabilities
– For each principal, list objects and actions
permitted for that principal
– Corresponds to columns of ACM
• The Unix file system is an example of…?
User
Tom
Readme.txt: read, Term.exe: read, write, execute
Dick
Readme.txt: read
Harry
Readme.txt: read, write; passwords: write
Problems
• Permissions may need to be determined
dynamically
–
–
–
–
Time
System load
Relationship with other objects
Security status of host
• Distributed nature of systems may aggravate this
– ACLs need to be replicated or centralized
– Capabilities don’t, but they’re harder to revoke
Types of Access Control
•
•
•
•
•
Discretionary
Mandatory
Rule-based
Role-based
Originator-controlled
Discretionary Access Control
• Owners control access to objects
• Access permissions based on identity of
subject/object
• E.g., access to health information
Mandatory Access Control
• Rules set by the system, cannot be overriden
by owners
• Each object and subject has a category and a
classification
• Rules speak about how to match categories
and classifications
– Access is granted on a match
Rule-Based Access Control
• Individual subjects are granted access to
objects if allowed by rules
• Rules are set by the system administrator
Role-Based Access Control
• Ability to access objects depends on one’s role
in the organization
• Roles of a user can change
– Restrictions may limit holding multiple roles
simultaneously or within a session, or over longer
periods.
– Supports separation of roles
• Maps to organization structure
Originator-Based Access Control
• Creator of an object decides who will access it
• E.g., owner can listen to a song but cannot
share it with others
Authorization
• Final goal of security
– Determine whether to allow an operation
• Depends upon
– Policy
– Authentication
– Other characteristics
The Role Of Policy
• Policy defines what is allowed and how the system
and security mechanisms should act
• Policy is enforced by mechanism which interprets
it, e.g.
– Firewalls
– IDS
– Access control lists
• Implemented as
– Software (which must be implemented correctly and
without vulnerabilities)
Policy models: Bell-LaPadula
• Focuses on controlled access to classified
information and on confidentiality
– No concern about integrity
• The model is a formal state transition model of
computer security policy
– Describes a set of access control rules which use
security classification on objects and clearances for
subjects
• To determine if a subject can access an object
– Combine mandatory and discretionary AC (ACM)
– Compare object’s classification with subject’s
clearance (Top Secret, Secret, Confid., Unclass.)
– Allow access if ACM and level check say it’s OK
Policy models: Bell-LaPadula
• Three security properties:
– Simple Security Property - a subject at a given
security level may not read an object at a higher
security level (no read-up)
– Star Property - a subject at a given security level must
not write to any object at a lower security level (no
write-down). Strong Star Property – only write to
same level
– The Discretionary Security Property - discretionary
access control specified via an access control matrix
• Trusted subjects - no star property rule
– Transfer info from high clearance to low clearance
Policy Models: Biba
• Like Bell-LaPadula but speaks about integrity
• Cannot write to higher-level objects
• Subject’s integrity drops if it reads a lower-level
object
Security > Mix Of Point Solutions
• Today’s security tools work with no coordinated
policy
– Firewalls and Virtual Private Networks
– Authentication and Public Key Infrastructure
– Intrusion Detection and limited response
• We need better coordination
– Not just who can access what, but policy says what
kind of encryption to use, when to notify IDS
• Tools should implement coordinated policies
– Policies originate from multiple sources
– Policies should adapt to dynamic threat conditions
– Policies should adapt to dynamic policy changes
GAA: Generic Authentication and
Authorization Architecture
INTRUSION
DETECTION
UNDER
ATTACK
Firewalls
Web Servers
GAA API
EACL
Databases
IPSec
Authentication
…
SECURITY
AUDIT
RECORDS
GAA: Integration Through Authorization
• Focus integration efforts on authorization and
the management of policies used in the
authorization decision
– Applications shouldn’t care about authentication or
identity
• Separate policy from mechanism
– Authorization may be easier to integrate with
applications
– Hide the calls to individual security services
• E.g. key management, authentication, encryption, audit
GAA: Extended ACLs
• Positive and negative access right
• Conditions on each rule - evaluated in a given
order
• Sample ACL (http://gost.isi.edu/info/gaaapi/eacl.html)
– Tom cannot login to the host
– Logins from the specified IP address range are
permitted, using either X509 or Kerberos for
authentication if previous login attempts <= 3. If the
request fails, the number of the failed logins should
be updated. The connection duration < 8 h.
– Anyone, without authentication, can check the status
of the host if his IP is in specified range
– Host shut downs are permitted, using Kerberos for
authentication. On success, the user ID must be
logged. On failure, the sysadmin is sent an e-mail
GAA: Conditions
• Pre-conditions
– What must be true in order to grant request
• Request-result
– These conditions must be activated regardless of
whether the access is granted or not
• Mid-conditions
– What must be true during execution of requested
operation
• Post-conditions
– What must be true on completion of requested
operation.
Three Phases of Condition Evaluation
GAA-API
EACL
a.isi.edu, connect, Tom
gaa_get_object_policy_info()
gaa_check_authorization()
T/F/U
gaa_execution_control()
T/F/U
gaa_post_execution_actions()
T/F/U
System State
What Dynamic Policies Enable
• Dynamic policy evaluation enables response to
attacks:
– Lockdown system if attack is detected
– Establish quarantines by changing policy to establish
isolated virtual networks dynamically
– Allow increased access between coalition members
as new coalitions are formed or membership
changes to respond to unexpected events
Scenario - LockDown

You have an isolated local area
network with mixed access to web
services (some clients authenticated,
some not).
Scenario - LockDown


You have an isolated local area
network with mixed access to web
services (some clients authenticated,
some not).
You need to allow incoming
authenticated SSH or IPSec
connections.
Scenario - LockDown
• You have an isolated local area
network with mixed access to web
services (some clients authenticated,
some not).
• You need to allow incoming
authenticated SSH or IPSec
connections.
• When such connections are active,
you want to lock down your servers
and require stronger authentication
and confidentiality protection on all
accesses within the network.
Malicious Code
Disclaimer
• Some techniques and tools mentioned in this class
could be:
Dangerous
– Illegal to use
– Dangerous for others – they can crash machines
and clog the network
– Dangerous for you – downloading the attack code
you provide attacker with info about your machine
• Don’t use any such tools in real networks
– Especially not on USC network
– You can only use them in a controlled
environment, e.g. DETER testbed
Intrusions
• Why do people break into computers?
• What type of people usually breaks into computers?
• I thought that this was a security course. Why are we
learning about attacks?